BlackHat/DEFCON, Part 2: My experience

This is part two of my travel blog for going to BlackHatUSA and DEF CON. Part one covered travel and first-time-attender tips in point-form, and you can read it here. In this post I am going to speak about my experience at DEF CON and, without names, the people that I met there. The post will be broken up into topics rather than chronologically.

This has been difficult to sit down and write because of a lot of interpersonal drama that happened on Twitter and in the convention halls that I, frankly, don't want to discuss again. I wanted to talk about things that did not have to do with the drama.

First Impressions

After I arrived at Caesars on Thursday, I met up with some people and had to deal with that. I had been explaining who I was to everyone that I already knew online for a couple days at BlackHatUSA and had become increasingly comfortable with the process. Approaching people, though, never got easier, but I learned to introduce myself and follow with my Twitter handle. From there I could read their reaction and figure out how to explain it to them.

From there we went and stood in the lines to purchase our badges. I didn't know the person buying our badges and the person I did know brought someone else along that I didn't know or expect. The line was long, and snaked through several rooms. After we got our badges, our patron had to return to another event for a talk, so I joined the others wandering around DEF CON for a bit.

Many people tend to think that I am bad at interactions when they first meet me. When I encounter someone new my instinct is to observe how they interact with others. I can ease myself in once I know what topics to avoid or what aspects of my personality it would be safer to keep quiet. This leads me to being very quiet or engaging just enough to not be awkward. My experience during a lot of DEF CON was frustrating in that regard because I would end up having to start over when new people joined a conversation.

My primary goal during DEF CON was not to network with new people or make new friends, but rather to seek out people I already knew and make face-to-face connections. This would mean that in the future I could begin networking through them since I will have already learned their social boundaries. I would not have to split my focus so much trying to learn so many people at once.

The problem of "too many people at once" was rather unavoidable. Having to introduce myself, read their reaction, and judge the easiest way to explain it to them was exhausting.

Taking a Breather

Vegas was loud, and crowded. There was a lot of travel between my hotel and venues. Repeated travel became expensive if I wanted to go somewhere quiet for half an hour. I found myself wanting to retreat from the conference often and recharge. I've learned that I am at my best during interactions when I have given myself time to recharge and made sure that I am hydrated and fed.

All of those things turned out to be more difficult to accomplish than I expected. The hotel was too far away to crash for half an hour and then go back to the conference, meaning that leaving the floor was a day-ending decision. Staying fed was difficult due to eateries being so far away from Caesars - something I solved Saturday and Sunday when I discovered a convenience store in the basement of the casino. They sold trail snack bars that were quite good for roughly $3.50 USD. While that wasn't a meal it kept me going better than not eating at all. Staying hydrated was the easiest part because I drank tap water. It didn't taste good, but also I didn't die or fall ill, so that's a win.

There are several chill-out areas, but they all had DJs playing loud music and it was difficult to listen to other people talk. In the future, I will probably bring earplugs and go there to chill on the floor. It isn't a replacement for a quiet, private room, so we'll see. I might do the same in many of the quieter hallways around the conference area where foot traffic isn't so heavy.

InfoSec Unlocked
Volunteers. From left to right: @artemis_134, @Straithe, @sushidude, @Tarah

My highlight of DEF CON was my time spent in the room reserved for @ISUnlocked. InfoSec Unlocked is a diversity and outreach group that ran workshops to help people learn how to get started as a conference speaker.

The room was tucked away in a side hallway in the convention center, and stayed quiet all weekend. The volunteers did an excellent job looking after the people who dropped by and ensuring a safe, comfortable space for as many people as possible. When I go back to DEF CON, whenever that is, I will definitely spend more time with that group.

I'm going to talk about some of the discussions I overheard while I was there, and how those discussions were moderated. There was an air to the environment there that made me feel more comfortable than any other space at DEF CON, or really anywhere. The volunteers, and those that came to listen to them, adhered to a principle that I learned some years ago: Listen first, speak second.

When someone asked a full question, everyone waited until the question was complete before answering. When someone was speaking, they were not interrupted. People did not speak for others, instead they passed the conversation so someone could speak for themselves.

There was a period where two Europeans were discussing differences between American views on handling diversity and their own. While they spoke they did not overwrite or invalidate the experiences of the volunteer they were speaking to and both the two people and the volunteer were taking notes on the other's experiences. While mutual respect exists in many spaces, it felt so much more important and deliberate there. It was a concentrated effort.

My time at DEF CON did not yield technical or computer-oriented skills. What I took away was others' experiences that will inform how I handle situations in the future. As one might expect if they follow me on social media, I consider this far more valuable than any workshop on how to pop a Windows box.

I learned the most during discussions of sexual harassment. This is an area where I listen closely to the experiences of others. I won't discuss the details of the conversations, but I will point-form what I took from it. There's a bunch that I already knew, but hearing someone's experiences put them into context.
  • Immediate action first, followed by long-term solution.
  • Ask what solution the person reporting harassment is looking for. Do that. "Do you want them removed? Do you want to get out of here?"
  • Long-term solution is secondary to immediate safety. "What can I do for you right now?"
  • Do not interrogate someone who has just experienced harassment. Trust them now, help them now, you can investigate later.
  • When someone reports harassment, establish that you are on their side quickly. "This person grabbed me." "What's their name? They're banned for life. How can I help right now?"
  • When escorting someone to safety, physically shield them from strangers. V formation. Flank them until they are somewhere safe. This idea is not to physically protect them, but to put them at ease knowing people are looking out for them.
  • If someone who reported harassment intends to leave and you intend on removing the person who harassed them, give them time to get clear before kicking out their harasser.
  • Something I want to mention here: Do not name the victim to their harasser. Never do this.

Conclusion

I enjoyed DEF CON. Something that I heard from a lot of people was that they loved DEF CON because it is one of the first places they ever felt like they belonged. I understand why that would be the case for others. Frankly, I have never felt more like an impostor than when I listened to people discuss their passions at DEF CON.

I felt out of place because my technical experience isn't there yet. My experience is such that I know of the existence of many fields and tools, but not enough to survive a conversation about any of them. That will not be the case when I return to DEF CON.

It was a good experience. I intend on making the trip again in the future, when I am in a better position to do so financially. The next time I attend I will be more prepared, and will be able to make more use of my time there than I did this year.

About the Author

AwfulyPrideful is a networking and telecommunications student with a passion for infosec. They can be found on Twitter talking about infosec, technology, games, and politics. They maintain a blog of their journey into infosec, explaining complex topics in layman's terms, sharing the lessons they learn, and providing commentary on tech culture. If you want to support them directly you can do so via PayPal and Patreon.

Update (2018-01-12)

My new blog is available here. Updated the outdated PayPal link in the section above.
